The Internet, also commonly referred to as the “web,” is a global system of interconnected networks that operate according to the Internet Protocol suite, allowing access to an extensive range of information that can be retrieved and accessed using the hypertext transfer protocol (HTTP). The Internet operates in a client-server format that distributes computing tasks and responsibilities between the service or resource providers, commonly referred to as “web servers,” and service requesters, called clients. Typically, web servers are configured to accept requests from all clients, and the HTTP request generally provides little information about the requesting client that would enable the web servers to determine the nature of the client's intentions in making the request. While this open communication model serves to facilitate the transfer of knowledge and information, it may also leave web servers vulnerable to “cyber attacks,” such as denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks.
In a DoS attack, a single client may attempt to overwhelm a server by sending a large number of requests to the server in rapid succession. As a result, an attacked web server may be slow or unable to respond to legitimate requests due to the burdens imposed on the server when servicing a flood of requests from a single malicious client. In a DDoS attack, rather than having a single client make all of the nuisance requests to the server, the attacker utilizes a network of different clients to simultaneously issue requests to the server. Such a network of requesting clients may be at the attacker's disposal, for example, by virtue of an in-place “botnet” in which hundreds or thousands of normal users' computers are infected by malware. This malware may be programmed to respond to commands issued by a central machine or authority, colloquially known as a “bot master.” Bot masters make use of such a collection of infected machines in order to implement a DDoS attack on a server or enterprise.
In a DDoS attack, because the flood of requests may be spread over a large number of disparate clients, each with a different IP address, it may be difficult to detect which requests originate from legitimate clients and which requests originate from malicious clients, such as compromised machines in a botnet. Thus, a server may not be able to determine which requests it should ignore and which requests it should service, because all requests may appear substantially identical over the larger pool of IP addresses. While DDoS attacks may be mitigated, conventional mitigation techniques suffer from a number of drawbacks.
With experience, DDoS hacktivists are becoming sophisticated and can generate more efficient DDoS attacks by sending legitimate-appearing requests from a huge number of network sources targeting the victim servers' computationally expensive components to exhaust the application servers' computational power and stop them from serving legitimate clients. The computationally expensive requests are discovered by the hacktivists during their pre-attack exploration of the victim servers. Because those requests are legitimate, they can bypass mitigations easily; because they are computationally expensive, they can swamp the victim servers with less effort.
More seriously, hacktivists can rotate their attacking requests every so often to defeat traditional signature-based filters configured manually on mitigation platforms. In order to mitigate a DDoS attack like this, operators usually need to identify the attack patterns first and then configure their mitigation platforms with the patterns. Because this is a relative manual process, it cannot keep up with the variation of the attacking requests and results in sluggish mitigation. There is therefore a need for methods and systems for overcoming these drawbacks and other challenges of identifying and mitigating a DoS attacks.